Trusteer Bypassed !

[CloneRanger]

w32h4x0r has more info etc !

Quote:

I wanted to share here my experience with the security software Trusteer Rapport

*

I tried to download it and break its security, and I have been able to break its layer of security from user mode in less than 10 minutes.

http://www.kernelmode.info/forum/vie...a16290302afe5f

Video here -http://vimeo.com/33341011

[shadek]

Nice find. Was it x64 platform or 32-bit?

[The Hammer]

What are the banks going to do now?

[m00nbl00d]

Quote:

Originally Posted by The Hammer

What are the banks going to do now?

Sue Trusteer and partner with Webroot?

[LoneWolf]

Thats why a layered defense is the best defense.
Relying on one solution in todays world is to risky, if it's bypassed it's game over.

[AaLF]

Trouble is only a handful of people use a layered defense. The masses expect Trusteer to deliver just as they expect an AV to deliver etc. And they dont have the time. SET & FORGET is what's demanded.

If Trusteer was breached then what about the Internet Security Suites. Many boast safe-on-line banking. I'll bet they haven't made as much effort as Trusteer.

[m00nbl00d]

Sometime ago I came with the perfect solution to defeat keyloggers running in user land, under Windows Vista/7.

Keyloggers were completely blind to the browsers.

Obviously, it was just a test. But, I've set the browser with an explicit high integrity level, and I've applied the flags NoReadUp, NoWriteUp and no NoExecuteUp.

I think NoReadUp would suffice, though. I need to verify it.

I ran the browser as administrator, because you can only run High integrity level objects and containers as administrator.

But, by allowing communications to happen only with the bank's IP(s), then what harm can happen? That would mean intruders were already inside the bank's servers, wouldn't it?

Crazy ideas...

[AaLF]

Quote:

Obviously, it was just a test. But, I've set the browser with an explicit high integrity level, and I've applied the flags NoReadUp, NoWriteUp and no NoExecuteUp.

Anything like that in XP?

So does this leave Prevx safeonline as the only free alternative?

[m00nbl00d]

Quote:

Originally Posted by AaLF

Anything like that in XP?

So does this leave Prevx safeonline as the only free alternative?

Microsoft only implemented integrity levels in Windows Vista+. Windows XP users have no luck.

The only alternative would be to run the browser in a secure desktop. avast! paid products offer this functionality.

There's at least one more application (free; I think the code is available as well), that would allow people to do that as well (to run applications in a secure desktop). I don't recall the name. I'll have to look it up.

[MrBrian]

Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

[vojta]

http://www.trusteer.com/support/en/about-rapport

Is Rapport hacker-proof?

Unfortunately, no security solution is. Rapport adds a very important and unique security layer that allows your bank to better protect your sensitive information and promptly react to threats aimed directly at you. With Rapport you are more secure and your bank has better mechanisms to protect your money. However, security is a constant battle and Rapport, as your antivirus solution or any other security product you use, makes it harder for criminals to commit crime.

It's really amusing to see "it's the end of Trusteer!" reactions just because of the typical "see how I bypassed X" video. What security app is immune to this? None.

[m00nbl00d]

Quote:

Originally Posted by MrBrian

Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

That's it! Thanks!

[CloneRanger]

@ vojta

I don't see any "it's the end of Trusteer!" reactions ? only justified concerns !

Quote:

What security app is immune to this? None.

How do you know that ?

Over on KM w32h4x0r has asked for other Apps to test it against, so hopefully we''ll see how they shape up, or not

[vojta]

Quote:

Originally Posted by CloneRanger

@ vojta

I don't see any "it's the end of Trusteer!" reactions ? only justified concerns !

Like in...

Quote:

Originally Posted by The Hammer

What are the banks going to do now?

Quote:

Originally Posted by m00nbl00d

Sue Trusteer and partner with Webroot?

Quote:

Originally Posted by AaLF

So does this leave Prevx safeonline as the only free alternative?

Now, if you tell me that they are just jocking around, that's another thing.

Quote:

Originally Posted by CloneRanger

How do you know that ?

That no app is immune and everyone can be bypassed one way or another by a hacker operating with admin privileges in front of a computer? I don't know, crazy ideas. For example, Safe Online, that has been quoted here as an alternative to the the now 'flawed' trusteer, is bypassed east, west, north and south by the MRG's simulators and their real world malware tests daily.

[m00nbl00d]

Quote:

Originally Posted by vojta

Like in...





Now, if you tell me that they are just jocking around, that's another thing.
[...]

I obviously cannot answer for the others, but I fail to see how my comment fits on your description, "it's the end of Trusteer!"?

Now, if you don't know whether or not someone is joking, perhaps you should ask the person directly.

[Esse]

Nice explanation of Rapport and its functions, regarding this video by Chris over at MRG.

http://forums.malwareresearchgroup.c....php?f=7&t=634

/Esse

[vojta]

Quote:

Originally Posted by Esse

Nice explanation of Rapport and its functions, regarding this video by Chris over at MRG.

http://forums.malwareresearchgroup.c....php?f=7&t=634

/Esse

"Yeah, we saw this. The fact of the matter is you can design a POC tool to bypass ANY specific security application."


A very interesting post, including the last paragraph.

[PrevxHelp]

Quote:

Originally Posted by vojta

That no app is immune and everyone can be bypassed one way or another by a hacker operating with admin privileges in front of a computer? I don't know, crazy ideas. For example, Safe Online, that has been quoted here as an alternative to the the now 'flawed' trusteer, is bypassed east, west, north and south by the MRG's simulators and their real world malware tests daily.

This is not true with the updated version of WSA in 8.0.1.x, and we will be offering a free version similar to SafeOnline in the coming weeks

[m00nbl00d]

Quote:

Originally Posted by PrevxHelp

This is not true with the updated version of WSA in 8.0.1.x, and we will be offering a free version similar to SafeOnline in the coming weeks

I suppose it's always good to have one more coming to the fight - in the freeware world.

I don't mean to hijack this thread, so you can answer in Prevx forum or PM, but will it come as a Xmas present?

[Thankful]

Quote:

Originally Posted by PrevxHelp

This is not true with the updated version of WSA in 8.0.1.x, and we will be offering a free version similar to SafeOnline in the coming weeks

What's new with the new version of WSA that it won't be bypassed by MRG's tests?

[PrevxHelp]

Quote:

Originally Posted by Thankful

What's new with the new version of WSA that it won't be bypassed by MRG's tests?

I don't want to derail the thread but we made several improvements about a month ago which closed off any known vulnerabilities from malware or other testing.

[Thankful]

Quote:

Originally Posted by PrevxHelp

I don't want to derail the thread but we made several improvements about a month ago which closed off any known vulnerabilities from malware or other testing.

Great.

[The Hammer]

Quote:

Originally Posted by PrevxHelp

I don't want to derail the thread but we made several improvements about a month ago which closed off any known vulnerabilities from malware or other testing.

Looks like you've been beat again. Or does this not count? http://malwareresearchgroup.com/

[PrevxHelp]

Quote:

Originally Posted by The Hammer

Looks like you've been beat again. Or does this not count? http://malwareresearchgroup.com/

And the cat/mouse game continues

[TonyW]

As always is the case between vendor & malware authors/researchers.